Notes for Miscellaneous Lectures


Leonid A. Levin* 
Boston University†


Abstract 

Here I share a few notes I used in various course lectures, talks, etc. Some may be 
just calculations that in the textbooks are more complicated, scattered, or less specific; 
others may be simple observations I found useful or curious. 


1 Nemirovski Estimate of Mean of Arbitrary 
Distributions with Bounded Variance 

The popular Chernoff bounds assume severe restrictions on distribution: it must be cut-off,
or vanish exponentially, etc. In [Nemirovsky Yudin]¹ an equally simple bound uses no
conditions at all beyond independence and known bound on variance. It is not widely used
because it is not explained anywhere with an explicit tight computation. I offer this version:

Assume independent variables $X_i(\omega)$ with the same unknown mean $m$ and known lower
bounds $B_i^2$ on inverses $1/v_i$ of their variance. We estimate $m$ as $M(\omega)$ with probability
$P(\pm(M-m) > \varepsilon) = p^\pm < 2^{-k}$ for $k$ close to $\sum_i (B_i\varepsilon)^2/12$. First, we normalize $X_i$ to set $\varepsilon = 1$,
spread them into $n$ groups, and take in each group $j$ its $B_i^2$-weighted mean $x_j(\omega)$.

The inverse variance bounds $b_j^2$ for $x_j$ are additive; we grow groups to assure $b_j > 2$ and
to increase the sum $k$ of heights $h_j = \log_2\frac{b_j^2+1}{2b_j}$. (The best $h_j/b_j^2 > 1/12$ comes with $b_j^2 \approx 6$.)²
For $s \subset [1,n]$, let $b_s = \prod_{j\in s} b_j$. Let $L = \cup_t L_t$ consist of light $s$, whose largest superset $s'$
with $b_{s'}^2 < b_{[1,n]}$ has $\|s\|+t$ elements. As $s \in L_t$ do not include each other, $\|L_t\| \le \binom{n}{\lceil n/2\rceil} < 2^n\sqrt{2/(\pi n)}$,
by Sperner’s theorem, and since $n! = (n/e)^n\sqrt{2\pi n + \theta_n}$, $\pi/3 < \theta_n \le e^2 - 2\pi$.

Our $M$ is the $(\log b_j)$-weighted median of $x_j$. Let $S^\pm(\omega) = \{j : \pm(x_j - m) < 1\}$. Then
$\pm(M(\omega)-m) > 1$ means $S^\pm(\omega) \in L$. By Chebyshev’s inequality, $p_j^\pm = P(j \notin S^\pm) \le 1/(b_j^2+1)$.
We assume $p_j^\pm = 1/(b_j^2+1)$: the general case follows by so modifying the distribution without
changing $m$, $b_j$, or decreasing $p^+$ (respectively $p^-$). If $s \in L_t$, $S^\pm(\omega) = s$ has probability

$$p_s^\pm = b_s^2 \Big/ \prod_{j\le n}(b_j^2+1) < 4^{-t}\prod_{j\le n} b_j/(b_j^2+1) = 4^{-t}\,2^{-(k+n)}.$$

So,

$$p^+ + p^- \le \sum_{t\ge 0}\sum_{s\in L_t}(p_s^+ + p_s^-) < 2\Big(\sum_{t\ge 0} 4^{-t}\Big)2^{-(k+n)}\,2^n\sqrt{2/(\pi n)} < 2^{-k}\sqrt{5/n}. \qquad \square$$
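The estimator described above, as an added sketch that is not code from the notes: group the samples, take the $B_i^2$-weighted mean of each group, and return the $(\log b_j)$-weighted median of the group means. The function name, the greedy grouping up to $b_j^2 \ge 6$ and the handling of leftover samples are assumptions of this sketch; the sample data is constructed.

```python
from math import log

def nemirovski_estimate(samples, eps=1.0, target=6.0):
    """samples: list of (X_i, B_i) where B_i^2 is a known lower bound on 1/variance.

    Greedy grouping up to b_j^2 >= target is an assumption of this sketch; the notes
    only ask that groups be grown, with b_j^2 near 6 giving the best trade-off.
    """
    groups, cur, b2 = [], [], 0.0
    for x, b in samples:
        w = (b * eps) ** 2                   # normalise so that eps = 1
        cur.append((x / eps, w))
        b2 += w
        if b2 >= target:
            groups.append(cur)
            cur, b2 = [], 0.0
    if not groups:
        raise ValueError("not enough samples to form one group")
    groups[-1].extend(cur)                   # leftovers only raise the last b_j^2
    points = []
    for g in groups:
        bj2 = sum(w for _, w in g)           # inverse-variance bounds are additive
        xj = sum(x * w for x, w in g) / bj2  # B_i^2-weighted mean of the group
        points.append((xj, log(bj2) / 2))    # median weight log b_j
    points.sort()
    half, acc = sum(w for _, w in points) / 2, 0.0
    for xj, w in points:
        acc += w
        if acc >= half:
            return xj * eps                  # undo the normalisation

# Constructed sample: true mean 10, unit variance bounds, one wild outlier.
SAMPLE = [(v, 1.0) for v in [9, 11, 10, 10, 9, 11] * 5]
SAMPLE[12] = (1000, 1.0)
```

On this sample the plain average is pulled far from 10 by the single outlier, while the weighted median of group means is not.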


* Supported by NSF grant 0311411. 

† Computer Science department, 111 Cummington St., Boston, MA 02215, USA

1 A.S.Nemirovsky, D.B.Yudin. Problem Complexity and Method Efficiency in Optimization. Wiley, 1983. 

2 Giving up tightness, the rest may be simplified: assure $b_j > b = \sqrt{2}+1$ and replace $b_j$, $h_j$ with $b$, $1/2$.
2 Leftover Hash Lemma


The following Lemma is often useful to convert a stream of symbols with absolutely unknown
(except for a lower bound on its entropy) distribution into a source of perfectly uniform
random bits $b \in Z_2 = \{0,1\}$.

The version I give is close to that in [HILL]³, though some aspects are closer to that
from [GL]⁴. Unlike [GL], I do not restrict hash functions to be linear and do not guarantee
polynomial reductions, i.e. I forfeit the case when the unpredictability of the source has
computational, rather than truly random, nature. However, like [GL], I restrict hash functions
only in probability of collisions, not requiring pairwise uniform distribution.

Let $G$ be a probability distribution on $Z_2^n$ with Renyi entropy $-\log \sum_x G^2(x) > m$. Let
$f_h(x) \in Z_2^k$, $h \in Z_2^t$, $x \in Z_2^n$ be a hash function family in the sense that for each $x$, $y \ne x$ the
fraction of $h$ with $f_h(x) = f_h(y)$ is $< 2^{-k} + 2^{-m}$. Let $U^t$ be the uniform probability distribution
on $Z_2^t$ and $s = m - k - 1$. Consider a distribution $P(h,a) = 2^{-t} G(f_h^{-1}(a))$ generated by
identity and $f$ from $U^t \otimes G$. Let $L_1(P,Q) = \sum_z |P(z) - Q(z)|$ be the $L_1$ distance between
distributions $P$ and $Q = U^i$, $i = t + k$. It never exceeds their $L_2$ distance

l 2 (p, q) = . 

Lemma 1 (Leftover Hash Lemma)

$$L_1(P, U^i) \le L_2(P, U^i) < 2^{-s/2}.$$

Note that h must be uniformly distributed but can be reused for many different x. These 
x need to be independent only of h, not of each other as long as they have > m entropy in 
the distribution conditional on all their predecessors. 


Proof. 

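$$\begin{aligned}
(L_2(P,U^i))^2 &= 2^i\sum_{h,a} P(h,a)^2 + 2^i\sum_z \left(2^{-2i} - 2P(z)2^{-i}\right) = 2^i\sum_{h,a} P(h,a)^2 - 1 \\
&= -1 + 2^i\sum_{x,y} G(x)G(y)\,2^{-2t}\sum_a \|\{h : f_h(x) = f_h(y) = a\}\| \\
&= -1 + 2^{k-t}\sum_{x,y} G(x)G(y)\,\|\{h : h(x) = h(y)\}\| \\
&= -1 + 2^{k-t}\Big(\sum_x G(x)^2\,2^t + \sum_{x,y\ne x} G(x)G(y)\,\|\{h : h(x) = h(y)\}\|\Big) \\
&< -1 + 2^k 2^{-m} + 2^{k-t}(1 - 2^{-m})\,2^t(2^{-k} + 2^{-m}) < 2^{-s}.
\end{aligned}$$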
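A numeric check of the lemma on a small case, as an added example that is not code from the notes: it enumerates every hash key, builds $P(h,a)$ exactly, and returns both distances to the uniform distribution. The hash family (all $k \times n$ bit matrices acting over $Z_2$), the function names and the sample source $G$ are assumptions of this example; the $L_2$ distance is taken as $(L_2)^2 = 2^i\sum_z (P(z) - 2^{-i})^2$, which is what the first line of the proof expands.

```python
from itertools import product
from math import log2, sqrt

def renyi_entropy(G):
    """Renyi entropy -log2(sum_x G(x)^2) of a distribution given as {x: probability}."""
    return -log2(sum(g * g for g in G.values()))

def lhl_distances(G, n, k):
    """Exact L1 and L2 distance between P(h, a) and the uniform U^i, i = t + k.

    Assumed hash family (not from the page): h is any k x n bit matrix (t = k*n bits)
    and f_h(x) = h x over Z_2, so x != y collide for exactly a 2^-k fraction of h.
    """
    t = k * n
    i = t + k
    uniform = 2.0 ** -i
    l1 = squares = 0.0
    for h in product((0, 1), repeat=t):
        rows = [h[r * n:(r + 1) * n] for r in range(k)]
        mass = {}                                   # a -> G(f_h^{-1}(a))
        for x, gx in G.items():
            a = tuple(sum(hb & xb for hb, xb in zip(row, x)) % 2 for row in rows)
            mass[a] = mass.get(a, 0.0) + gx
        for a in product((0, 1), repeat=k):
            p = 2.0 ** -t * mass.get(a, 0.0)        # P(h, a) = 2^-t G(f_h^{-1}(a))
            l1 += abs(p - uniform)
            squares += (p - uniform) ** 2
    # (L2)^2 = 2^i * sum_z (P(z) - 2^-i)^2, as expanded in the first line of the proof
    return l1, sqrt(2 ** i * squares)

def lemma_bound(m, k):
    """Right-hand side 2^(-s/2) of the lemma, with s = m - k - 1."""
    return 2.0 ** (-(m - k - 1) / 2)

# Constructed source on 5-bit strings: 16 points of mass 1/32, 8 points of mass 1/16.
POINTS = list(product((0, 1), repeat=5))
G = {x: (1 / 32 if j < 16 else 1 / 16) for j, x in enumerate(POINTS[:24])}
```

With $n = 5$, $k = 2$ and $m = 4$ this source has Renyi entropy about 4.4, and the computed $L_2$ distance of 3/8 sits below the bound $2^{-1/2}$.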


3 Johan Hastad, Russell Impagliazzo, Leonid A. Levin, Michael Luby.
A Pseudorandom Generator from any One-way Function. Section 4.5. SICOMP 28(4):1364-1396, 1999.
4 Oded Goldreich, Leonid A. Levin. A Hard-core Predicate for any One-way Function. Sec.5. STOC 1989. 
3 Disputed Ballots and Poll Instabilities

Here is another curious example of advantages of quadratic norms. 

The ever-vigilant struggle of major parties for the heart of the median voter makes many 
elections quite tight. Add the Electoral College system of the US Presidential elections and 
the history may hang on a small number of ballots in one state. The problem is not in the 
randomness of the outcome. In fact, chance brings a sort of fair power sharing unplagued 
with indecision: either party wins sometimes, but the country always has only one leader. 
If a close race must be settled by dice, so be it. But the dice must be trusty and immune to 
manipulation! 

Alas, this is not what our systems assure. Of course, old democratic traditions help
avoid the outrages that endanger younger democracies, such as Ukraine. Yet, we do not want
parties to compete on tricks that may decide the elections: appointing partisan election 
officials or judges, easing voter access in sympathetic districts, etc. Better to make the 
randomness of the outcome explicit, giving each candidate a chance depending on his/her 
share of the vote. It is easy to implement the lottery in an infallible way, the issue is how 
its chance should depend on the share of votes. 

In contrast to the present one, the system should avoid any big jump from a small 
change in the number of votes. Yet, chance should not be proportional to the share of 
votes. Otherwise each voter may vote for himself, rendering election of a random person. 
The present system encourages voters to consolidate around candidates acceptable to many 
others. The ‘jumpless’ system should preserve this feature. This can be done by using a
non-linear function: say, let the chance in the post-poll lottery be proportional to the squared
number of votes. In other words, a voter has one vote per each person he agrees with.⁵
Consider for instance an 8-way race where the percents of votes are 60, 25, 10, 1, 1, 1, 1, 1. 
The leader’s chance will be 5/6, his main rival’s 1/7, the third party candidate’s 1/43 and 
the combined chance of the five ‘protest’ runners 1/866. 

This system would force major parties to determine the most popular candidate via 
some sort of primaries, and will almost exclude marginal runners. However it would have 
no discontinuity rendering any small change in the vote distribution irrelevant. The system 
would preserve an element of chance, but would be resistant to manipulation. 


5 The dependence of lottery odds on the share of votes may be sharper.
Yet, it must be smooth to minimize the effects of manipulation. Even (trusty) noise alone,
e.g., discarding a randomly chosen half of the votes, can “smooth” the system a little.





4 Proofs in Three Envelopes 

Below is a slightly simplified account of Zero-knowledge proofs that were developed in [Goldwasser
Micali Rackoff]⁶, [Goldreich Micali Wigderson]⁷, [Shamir]⁸. I wrote this account under the influence
of Manuel Blum’s construction⁹ during several conversations with him when I visited him in 1986.

Consider an undirected graph: $g \subset v^2$, $(a,b) \in g$ iff $(b,a) \in g$. Its coloring is a mapping
$C : v \to \{1,2,3\}$, s.t. each edge $(a,b) \in g$ has distinct colors: $C(a) \ne C(b)$. Since 3-colorability
is NP-complete, any mathematical statement can be reduced in polynomial time to a statement of
graph colorability, so that any proof of either statement can be transformed in polynomial time into
the proof of the other. We consider only graphs composed of 3 isomorphic connected components.
Any coloring of such graph can be made balanced, i.e. such that the nodes of each degree are equally
spread between the 3 colors. We consider only such balanced colorings.

The Prover (P) uses a random string $\omega$ to generate random enumerations $p : v \to v$ of nodes
and $q : g \to g$ of edges. Then P makes three envelopes: $E_1(g,\omega)$, $E_2(g,\omega)$, $E_3(g,\omega,C)$. $E_1$ contains
$p$ and the mapping of reciprocal edges: $q(a,b) \to q(b,a)$. $E_2$ contains the mapping of edges to their
source nodes: $q(a,b) \to p(a)$ and $E_3$ contains their coloring $q(a,b) \to C(a)$. The verifier (V) then
chooses any two of the envelopes and checks their consistency.

If the envelopes do not represent a correct coloring then some two of them are obviously
inconsistent with the graph or with each other. It is also easy to see that the joint probability distribution
of any two envelopes does not depend on (balanced) coloring and can be trivially generated from
the graph alone. $E_1, E_2$ do not mention $C$ at all. $E_1, E_3$ contain just $p$ and an unrelated to it
balanced mapping of permuted edges to their colors. $E_2, E_3$ contain the permutation and colors of
nodes and also maps to them their permuted outgoing edges with unspecified destination.

So the Prover gives away no information besides the validity of his proof, while the verifier has
a 1/3 chance to catch him if the proof is incorrect. Repeating the game $k$ times with independent
$\omega$ decreases the chance of fake proofs to remain un-exposed to $(2/3)^k$. Of course, for implementing
such game one needs something like cryptography to commit the Prover to the content of the
envelopes, without revealing it before he learns the verifier’s choice.
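One round of the three-envelope game, as an added example that is not code from the notes: the Prover builds $E_1, E_2, E_3$ from a graph and a coloring, and the Verifier checks any chosen pair. Function names and the sample graph are assumptions; envelopes are plain Python objects here, so the commitment step the text says needs cryptography is left out, and the balance of the coloring is not checked.

```python
import random

def make_envelopes(nodes, edges, coloring, rng):
    """Prover side. edges: symmetric set of (a, b); coloring: node -> colour in 1..3."""
    renamed = list(nodes)
    rng.shuffle(renamed)
    p = dict(zip(nodes, renamed))                    # random enumeration p of nodes
    order = sorted(edges)
    rng.shuffle(order)
    q = {e: i for i, e in enumerate(order)}          # random enumeration q of edges
    e1 = (p, {q[a, b]: q[b, a] for a, b in edges})   # p and q(a,b) -> q(b,a)
    e2 = {q[a, b]: p[a] for a, b in edges}           # q(a,b) -> p(a)
    e3 = {q[a, b]: coloring[a] for a, b in edges}    # q(a,b) -> C(a)
    return e1, e2, e3

def verify(pair, envelopes, nodes, edges):
    """Verifier side: open the two envelopes named in `pair` and check consistency."""
    e1, e2, e3 = envelopes
    ids = set(range(len(edges)))
    if pair == (1, 2):   # the renamed, renumbered edges must be exactly the graph
        p, recip = e1
        if set(p) != set(nodes) or set(p.values()) != set(nodes) or set(e2) != ids:
            return False
        shown = {(e2[i], e2.get(recip.get(i))) for i in ids}
        return shown == {(p[a], p[b]) for a, b in edges}
    if pair == (1, 3):   # reciprocal edges must carry different colours
        recip = e1[1]
        return set(e3) == ids and all(
            e3[i] in (1, 2, 3) and recip.get(i) in e3 and e3[i] != e3[recip[i]]
            for i in ids)
    if pair == (2, 3):   # all edges leaving one node must carry the same colour
        if set(e2) != ids or set(e3) != ids:
            return False
        colour_of = {}
        return all(colour_of.setdefault(e2[i], e3[i]) == e3[i] for i in ids)
    raise ValueError("pair must be (1, 2), (1, 3) or (2, 3)")

def passing_pairs(nodes, edges, coloring, seed=0):
    env = make_envelopes(nodes, edges, coloring, random.Random(seed))
    return [pr for pr in [(1, 2), (1, 3), (2, 3)] if verify(pr, env, nodes, edges)]

# Constructed sample: three disjoint triangles (three isomorphic components).
NODES = list(range(9))
EDGES = {(a, b) for t in (0, 3, 6) for a in range(t, t + 3)
         for b in range(t, t + 3) if a != b}
GOOD = {a: a % 3 + 1 for a in NODES}   # balanced proper colouring
BAD = {**GOOD, 1: GOOD[0]}             # nodes 0 and 1 now share a colour
```

With `GOOD` all three pairs pass; with `BAD` exactly one of the three pairs fails, which is the 1/3 chance of exposure per round.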

4.1 Graph non-isomorphism 

A simple protocol of [Goldreich Micali Wigderson] shows in zero knowledge that an isomorphism
of two graphs $g_1, g_2$ is known. P first sends V a random permutation $h$ of $g_1$. Then V chooses at
random $i \in \{1,2\}$ and P sends V the isomorphism of $h$ to $g_i$. Non-isomorphism [Goldreich Micali
Wigderson] has almost as simple protocol. Let $g$ be the graph whose connected components are $g_1$
and $g_2$. V sends P a random permutation $h$ of $g$ and proves in zero-knowledge that (s)he knows
an isomorphism of $h$ to $g$. Then P tells V if the permutation maps the two components of $g$ onto
themselves or onto each other.


6 Shafi Goldwasser, Silvio Micali, Charles Rackoff. The Knowledge Complexity of Interactive Proofs.
SICOMP 18:186-208, 1989. Earlier version in STOC 1985.

7 Oded Goldreich, Silvio Micali, Avi Wigderson. Proofs that Yield Nothing but their Validity or All
Languages in NP have Zero-Knowledge Proof Systems. JACM, 38(1):691-729, 1991. Earlier in FOCS 1986.

8 Adi Shamir. Zero-Knowledge Proof for Knapsacks. Cited in: Joe Kilian, Silvio Micali, Rafail Ostrovsky.
Minimum Resource Zero-Knowledge Proof. FOCS 1989, pp. 474-479.

9 Manuel Blum. How to prove a theorem so no one else can claim it.
Proc. 1986 International Congress of Math. Also, Personal Communication. Berkeley, 1986.